CVE 9.3 CRITICAL

manga-image-translator Shared API Unsafe Deserialization RCE_CVE-2026-26215

February 11, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload.

AI Analysis

Unauthenticated remote code execution via unsafe deserialization in shared API mode

Basic Information

ID CVE-2026-26215

Source VulnCheck

Published Feb 11, 2026 at 22:18

Modified Feb 11, 2026 at 22:22

Affected Product

Vendor zyddnys

Product manga-image-translator

Affected Versions zyddnys manga-image-translator 0

CWE Classification

CWE-502

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor zyddnys

Product manga-image-translator

Version beta-0.3 and prior

References

{
    "lastseen": "",
    "description": "manga-image-translator version\u00a0beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload.",
    "published": "2026-02-11T22:18:39.304Z",
    "modified": "2026-02-11T22:22:49.341Z",
    "type": "cve",
    "title": "manga-image-translator Shared API Unsafe Deserialization RCE",
    "source": "VulnCheck",
    "references": "https://chocapikk.com/posts/2026/manga-image-translator-pickle-rce/\nhttps://github.com/zyddnys/manga-image-translator/issues/1116\nhttps://github.com/zyddnys/manga-image-translator/issues/946\nhttps://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L112\nhttps://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L130\nhttps://www.vulncheck.com/advisories/manga-image-translator-shared-api-unsafe-deserialization-rce",
    "id": "CVE-2026-26215",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "zyddnys manga-image-translator 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "manga-image-translator",
    "version": "0",
    "vendor": "zyddnys",
    "ai_description": "Unauthenticated remote code execution via unsafe deserialization in shared API mode",
    "ai_severity": "Critical",
    "ai_vendor": "zyddnys",
    "ai_product": "manga-image-translator",
    "ai_version": "beta-0.3 and prior",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply